Vulnerabilities > CVE-2004-0411 - Argument Injection or Modification vulnerability in KDE Konqueror
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Try All Common Application Switches and Options An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.
- Using Meta-characters in E-mail Headers to Inject Malicious Payloads This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
- HTTP Parameter Pollution (HPP) An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200405-11.NASL description The remote host is affected by the vulnerability described in GLSA-200405-11 (KDE URI Handler Vulnerabilities) The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for last seen 2020-06-01 modified 2020-06-02 plugin id 14497 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14497 title GLSA-200405-11 : KDE URI Handler Vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200405-11. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14497); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0411"); script_xref(name:"GLSA", value:"200405-11"); script_name(english:"GLSA-200405-11 : KDE URI Handler Vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200405-11 (KDE URI Handler Vulnerabilities) The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed. By crafting a malicious URI and entice an user to click on it, it is possible to pass an option to the programs started by the handlers (typically telnet, kmail...). Impact : If the attacker controls the options passed to the URI handling programs, it becomes possible for example to overwrite arbitrary files (possibly leading to denial of service), to open kmail on an attacker-controlled remote display or with an alternate configuration file (possibly leading to control of the user account). Workaround : There is no known workaround at this time. All users are advised to upgrade to a corrected version of kdelibs." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200405-11" ); script_set_attribute( attribute:"solution", value: "Users of KDE 3.1 should upgrade to the corrected version of kdelibs: # emerge sync # emerge -pv '=kde-base/kdelibs-3.1.5-r1' # emerge '=kde-base/kdelibs-3.1.5-r1' Users of KDE 3.2 should upgrade to the latest available version of kdelibs: # emerge sync # emerge -pv '>=kde-base/kdelibs-3.2.2-r1' # emerge '>=kde-base/kdelibs-3.2.2-r1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:kdelibs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"kde-base/kdelibs", unaffected:make_list("ge 3.2.2-r1", "eq 3.1.5-r1"), vulnerable:make_list("le 3.2.2"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kde-base/kdelibs"); }NASL family Fedora Local Security Checks NASL id FEDORA_2004-122.NASL description iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE. A flaw in the telnet URL handler can allow options to be passed to the telnet program which can be used to allow file creation or overwriting. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victims home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 13700 published 2004-07-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13700 title Fedora Core 2 : kdelibs-3.2.2-6 (2004-122) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-122. # include("compat.inc"); if (description) { script_id(13700); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0411"); script_xref(name:"FEDORA", value:"2004-122"); script_name(english:"Fedora Core 2 : kdelibs-3.2.2-6 (2004-122)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE. A flaw in the telnet URL handler can allow options to be passed to the telnet program which can be used to allow file creation or overwriting. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victims home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-May/000126.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6151bdcc" ); script_set_attribute( attribute:"solution", value: "Update the affected kdelibs, kdelibs-debuginfo and / or kdelibs-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC2", reference:"kdelibs-3.2.2-6")) flag++; if (rpm_check(release:"FC2", reference:"kdelibs-debuginfo-3.2.2-6")) flag++; if (rpm_check(release:"FC2", reference:"kdelibs-devel-3.2.2-6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kdelibs / kdelibs-debuginfo / kdelibs-devel"); }NASL family Fedora Local Security Checks NASL id FEDORA_2004-121.NASL description iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE. A flaw in the telnet URL handler can allow options to be passed to the telnet program which can be used to allow file creation or overwriting. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victims home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 13699 published 2004-07-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13699 title Fedora Core 1 : kdelibs-3.1.4-5 (2004-121) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-121. # include("compat.inc"); if (description) { script_id(13699); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0411"); script_xref(name:"FEDORA", value:"2004-121"); script_name(english:"Fedora Core 1 : kdelibs-3.1.4-5 (2004-121)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE. A flaw in the telnet URL handler can allow options to be passed to the telnet program which can be used to allow file creation or overwriting. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victims home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-May/000123.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1fb73008" ); script_set_attribute( attribute:"solution", value: "Update the affected kdelibs, kdelibs-debuginfo and / or kdelibs-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kdelibs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"kdelibs-3.1.4-5")) flag++; if (rpm_check(release:"FC1", reference:"kdelibs-debuginfo-3.1.4-5")) flag++; if (rpm_check(release:"FC1", reference:"kdelibs-devel-3.1.4-5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kdelibs / kdelibs-debuginfo / kdelibs-devel"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_DF333EDEA8CE11D89C6D0020ED76EF5A.NASL description Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a `- last seen 2020-06-01 modified 2020-06-02 plugin id 37850 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37850 title FreeBSD : URI handler vulnerabilities in several browsers (df333ede-a8ce-11d8-9c6d-0020ed76ef5a) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(37850); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:36"); script_cve_id("CVE-2004-0411"); script_name(english:"FreeBSD : URI handler vulnerabilities in several browsers (df333ede-a8ce-11d8-9c6d-0020ed76ef5a)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a `-', it may be treated as an option by an external command. This could have undesirable side-effects, from denial-of-service to code execution. The impact is very dependent on local configuration. After the iDEFENSE advisory was published, the KDE team discovered similar problems in KDE's URI handlers." ); # http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?aacb7758" ); # http://www.kde.org/info/security/advisory-20040517-1.txt script_set_attribute( attribute:"see_also", value:"https://www.kde.org/info/security/advisory-20040517-1.txt" ); # http://freebsd.kde.org/index.php#n20040517 script_set_attribute( attribute:"see_also", value:"https://freebsd.kde.org/index.php#n20040517" ); # https://vuxml.freebsd.org/freebsd/df333ede-a8ce-11d8-9c6d-0020ed76ef5a.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d1cdf7f" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:kdelibs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-opera"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/12"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"linux-opera<7.50")) flag++; if (pkg_test(save_report:TRUE, pkg:"opera<7.50")) flag++; if (pkg_test(save_report:TRUE, pkg:"kdelibs<3.2.2_3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family FreeBSD Local Security Checks NASL id FREEBSD_URI_VULNS.NASL description The following package needs to be updated: kdelibs last seen 2016-09-26 modified 2004-07-06 plugin id 12620 published 2004-07-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=12620 title FreeBSD : URI handler vulnerabilities in several browsers (197) code #%NASL_MIN_LEVEL 999999 # @DEPRECATED@ # # This script has been deprecated by freebsd_pkg_df333edea8ce11d89c6d0020ed76ef5a.nasl. # # Disabled on 2011/10/02. # # # (C) Tenable Network Security, Inc. # # This script contains information extracted from VuXML : # # Copyright 2003-2006 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # include('compat.inc'); if ( description ) { script_id(12620); script_version("1.11"); script_cve_id("CVE-2004-0411"); script_name(english:"FreeBSD : URI handler vulnerabilities in several browsers (197)"); script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update'); script_set_attribute(attribute:'description', value:'The following package needs to be updated: kdelibs'); script_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P'); script_set_attribute(attribute:'solution', value: 'Update the package on the remote host'); script_set_attribute(attribute: 'see_also', value: 'http://freebsd.kde.org/index.php#n20040517 http://secunia.com/advisories/11817 http://secunia.com/advisories/12309 http://security.e-matters.de/advisories/092004.html http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false http://www.kde.org/info/security/advisory-20040517-1.txt http://www.mozilla.org/security/announce/2006/mfsa2006-09.html http://www.mozilla.org/security/announce/2006/mfsa2006-10.html http://www.mozilla.org/security/announce/2006/mfsa2006-11.html http://www.mozilla.org/security/announce/2006/mfsa2006-12.html http://www.mozilla.org/security/announce/2006/mfsa2006-13.html http://www.mozilla.org/security/announce/2006/mfsa2006-14.html http://www.mozilla.org/security/announce/2006/mfsa2006-15.html https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104'); script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/df333ede-a8ce-11d8-9c6d-0020ed76ef5a.html'); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06"); script_end_attributes(); script_summary(english:"Check for kdelibs"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); family["english"] = "FreeBSD Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/FreeBSD/pkg_info"); exit(0); } # Deprecated. exit(0, "This plugin has been deprecated. Refer to plugin #37850 (freebsd_pkg_df333edea8ce11d89c6d0020ed76ef5a.nasl) instead."); global_var cvss_score; cvss_score=7; include('freebsd_package.inc'); pkg_test(pkg:"linux-opera<7.50"); pkg_test(pkg:"opera<7.50"); pkg_test(pkg:"kdelibs<3.2.2_3");NASL family SuSE Local Security Checks NASL id SUSE_SA_2003_014.NASL description The remote host is missing the patch for the advisory SuSE-SA:2003:014 (kdelibs/kdelibs3). The kdelibs3 (kdelibs for SLES7 based products) package is a core package for the K desktop environment (KDE). The URI handler of the kdelibs3 and kdelibs class library contains a flaw which allows remote attackers to create arbitrary files as the user utilizing the kdelibs3/kdelibs package. Affected are applications which use the kdelibs3/kdelibs URI handler such as Konqueror or Kmail. The original KDE advisory can be found at http://www.kde.org/info/security/advisory-20040517-1.html Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command last seen 2020-06-01 modified 2020-06-02 plugin id 13785 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13785 title SuSE-SA:2003:014: kdelibs/kdelibs3 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SuSE-SA:2003:014 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(13785); script_version ("1.13"); script_cve_id("CVE-2004-0411"); name["english"] = "SuSE-SA:2003:014: kdelibs/kdelibs3"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SuSE-SA:2003:014 (kdelibs/kdelibs3). The kdelibs3 (kdelibs for SLES7 based products) package is a core package for the K desktop environment (KDE). The URI handler of the kdelibs3 and kdelibs class library contains a flaw which allows remote attackers to create arbitrary files as the user utilizing the kdelibs3/kdelibs package. Affected are applications which use the kdelibs3/kdelibs URI handler such as Konqueror or Kmail. The original KDE advisory can be found at http://www.kde.org/info/security/advisory-20040517-1.html Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update." ); script_set_attribute(attribute:"solution", value: "http://www.suse.de/security/2004_14_kdelibs.html" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25"); script_cvs_date("Date: 2019/10/25 13:36:27"); script_end_attributes(); summary["english"] = "Check for the version of the kdelibs/kdelibs3 package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"kdelibs3-3.0-120", release:"SUSE8.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kdelibs3-3.0.5-54", release:"SUSE8.1") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kdelibs3-3.1.1-139", release:"SUSE8.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kdelibs3-3.1.4-51", release:"SUSE9.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"kdelibs3-3.2.1-44.10", release:"SUSE9.1") ) { security_hole(0); exit(0); } if (rpm_exists(rpm:"kdelibs-", release:"SUSE8.0") || rpm_exists(rpm:"kdelibs-", release:"SUSE8.1") || rpm_exists(rpm:"kdelibs-", release:"SUSE8.2") || rpm_exists(rpm:"kdelibs-", release:"SUSE9.0") || rpm_exists(rpm:"kdelibs-", release:"SUSE9.1") ) { set_kb_item(name:"CVE-2004-0411", value:TRUE); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-222.NASL description Updated kdelibs packages that fix telnet URI handler and mailto URI handler file vulnerabilities are now available. The kdelibs packages include libraries for the K Desktop Environment. KDE Libraries include: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (JavaScript), kab (addressbook), kimgio (image manipulation). Konqueror is a file manager and Web browser for the K Desktop Environment (KDE). iDEFENSE identified a vulnerability in the Opera web browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found two similar vulnerabilities that also exist in KDE. A flaw in the telnet URI handler may allow options to be passed to the telnet program, resulting in creation or replacement of files. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file with the victim last seen 2020-06-01 modified 2020-06-02 plugin id 12499 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12499 title RHEL 2.1 / 3 : kdelibs (RHSA-2004:222) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-238-01.NASL description New kdelibs packages are available for Slackware 9.0, 9.1 and -current to fix security issues with URI handling. last seen 2020-06-01 modified 2020-06-02 plugin id 18753 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18753 title Slackware 9.0 / 9.1 / current : kdelibs (SSA:2004-238-01) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-518.NASL description iDEFENSE identified a vulnerability in the Opera web browser that could be used by remote attackers to create or truncate arbitrary files on the victims machine. The KDE team discovered that a similar vulnerability exists in KDE. A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file in the victims home directory. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI. last seen 2020-06-01 modified 2020-06-02 plugin id 15355 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15355 title Debian DSA-518-1 : kdelibs - unsanitised input NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-047.NASL description A vulnerability in the Opera web browser was identified by iDEFENSE; the same type of vulnerability exists in KDE. The telnet, rlogin, ssh, and mailto URI handlers do not check for last seen 2020-06-01 modified 2020-06-02 plugin id 14146 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14146 title Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:047)
Oval
| accepted | 2007-04-25T19:53:10.684-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| description | The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:954 | ||||||||
| status | accepted | ||||||||
| submitted | 2004-05-19T12:00:00.000-04:00 | ||||||||
| title | Konqueror URI Handler "-" Filter Vulnerability | ||||||||
| version | 38 |
Redhat
| advisories |
|
References
- http://www.securityfocus.com/archive/1/363225
- http://www.kde.org/info/security/advisory-20040517-1.txt
- http://www.redhat.com/support/errata/RHSA-2004-222.html
- http://www.novell.com/linux/security/advisories/2004_14_kdelibs.html
- http://security.gentoo.org/glsa/glsa-200405-11.xml
- http://www.debian.org/security/2004/dsa-518
- http://www.ciac.org/ciac/bulletins/o-146.shtml
- http://www.securityfocus.com/bid/10358
- http://www.osvdb.org/6107
- http://secunia.com/advisories/11602
- http://www.securityfocus.com/advisories/6717
- http://www.securityfocus.com/advisories/6743
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000843
- http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.362635
- http://marc.info/?l=bugtraq&m=108481412427344&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16163
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A954